Wired or wireless connections may be secured at the access layer of a device. Such devices are wide ranging and include, for example, mobile phones, personal digital assistants, billboards, vending machines, and the like. This security may require that the access layer on the device be authenticated to a Network Authentication Server (NAS), which is operated by a Network Access Provider (NAP). The NAP allows a network connection between the NAS and the device once the access layer has successfully been authenticated to the NAS.
To facilitate authenticating the access layer to the NAS, systems rely on a mature infrastructure for key agreement and management. This infrastructure allows the device to be shipped from the manufacturer after authentication keys, which are tied to the device's identity, have been generated and stored on the device (in the access layer) and on the NAS. Thus, an access layer authentication attempt fails if the device attempts to access the network and the device's identity has been spoofed.
Although this infrastructure allows a NAP to control device access to the network, it does not control which applications (running on the device) may use the connection. For example, the infrastructure does not enable a NAP to allow some, but not all, of the applications running on the device to use the connection. In the Machine to Machine (M2M) space, for instance, a single accounting relationship may exist between a user (e.g., a soda distributor) and a Network Service Provider (NSP). Based on this relationship, the soda distributor services hundreds of vending machines that access the NAP associated with the NSP. A compromise in device security at the user end (enterprise) can therefore have a system-wide impact across all the devices.
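The device-level key provisioning and authentication described above, together with the limitation that it controls the device as a whole rather than individual applications, as an added Python example (constructed here, not code from the original text or any particular product); the device identities, placeholder keys, application names and the HMAC challenge-response form are assumptions:

```python
import hashlib
import hmac
import os

# Constructed provisioning data: a key tied to each device identity is generated at
# manufacture and stored in the device's access layer and on the NAS (placeholder values).
PROVISIONED_KEYS = {
    "vend-0001": bytes.fromhex("a1" * 32),
    "vend-0002": bytes.fromhex("b2" * 32),
}

class AccessLayer:
    # Device-side access layer holding the claimed identity and the provisioned key.
    def __init__(self, identity, key):
        self.identity = identity
        self._key = key

    def respond(self, challenge):
        # Prove possession of the key bound to the claimed identity.
        return hmac.new(self._key, self.identity.encode() + challenge, hashlib.sha256).digest()

class NAS:
    # Network Authentication Server: verifies a device, then tracks its session.
    def __init__(self, keys):
        self._keys = keys
        self.sessions = set()

    def authenticate(self, access_layer):
        challenge = os.urandom(16)
        key = self._keys.get(access_layer.identity)
        if key is None:
            return False  # unknown identity
        expected = hmac.new(key, access_layer.identity.encode() + challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, access_layer.respond(challenge)):
            return False  # spoofed identity: the key does not match the claimed identity
        self.sessions.add(access_layer.identity)
        return True

    def permits(self, identity, application):
        # Control is per device only: once authenticated, every application on the
        # device may use the connection; the application name is never consulted.
        return identity in self.sessions

def demo():
    nas = NAS(PROVISIONED_KEYS)
    genuine = AccessLayer("vend-0001", PROVISIONED_KEYS["vend-0001"])
    spoofed = AccessLayer("vend-0002", PROVISIONED_KEYS["vend-0001"])  # claims another identity
    return {
        "genuine": nas.authenticate(genuine),
        "spoofed": nas.authenticate(spoofed),
        "display_app": nas.permits("vend-0001", "display-driver"),
        "other_app": nas.permits("vend-0001", "unknown-binary"),
    }
```

The last two results are both true, which is the gap the text describes: the NAS can reject a spoofed device, but once a device is authenticated it has no basis for admitting one application while refusing another.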
For example, a single vending machine may be compromised by a single virus (e.g., a Trojan virus). That single breach may allow the virus to take advantage of the M2M network and spread to all the vending machines. More specifically, an application on a single vending machine, such as the software that drives the machine's display, may be compromised and then spread to the other vending machines, causing each machine to display an inappropriate message. As another example, the network connecting the machines could be debilitated by virus-related messaging consuming all available network bandwidth. Damage may even spread from the user's network to the external NSP infrastructure.